2 matches found
CVE-2019-14657
Yealink phones through 2019-08-04 have an issue with OpenVPN file upload. They execute tar as root to extract files, but do not validate the extraction directory. Creating a tar file with ../../../../ allows replacement of almost any file on a phone. This leads to password replacement and arbitra...
CVE-2019-14657
CVE-2019-14657 affects Yealink phones (through 2019-08-04) featuring an OpenVPN file upload where tar is executed as root to extract files without validating the extraction directory. An attacker can craft a tar containing ../../../../ to traverse directories and replace almost any file on the de...